Layer7 API Management

Expand all | Collapse all

Pass-through auth via LDAP

Jump to Best Answer
  • 1.  Pass-through auth via LDAP

    Posted 09-13-2019 03:38 PM
    Edited by Petar Banicevic 09-14-2019 07:15 AM
    I want to set up LDAP pass-through:

    LDAP Client -> Gateway listener -> Policy -> Internal LDAP
    [----- SSL 1 -------------------------------][---- SSL 2 --------------------]

    I am exploring possibility:

    LDAP Client -> Gateway l7.raw.tcp listener -> policy using assertion "Raw TCP Routing" -> Internal LDAP
    [----- SSL 1 ------------------------------------------][---- SSL 2 ------------------------------------------------------------------]

    But how to terminate and setup SSLs, can someone clarify steps need to be done ?
    ( content type application/octet worries me too (in raw listener and assertion tcp routing )).

    Is there more appropriate solution for LDAP pass thru ?

  • 2.  RE: Pass-through auth via LDAP
    Best Answer

    Broadcom Employee
    Posted 09-15-2019 07:46 PM
    Dear Petar,
    Usually we use an identity provider for authentication,
    1. create ldap identity provider,
    2. on your policy,
    require http basic credentials
    authenticate against xxx identity provider
    (xxx is the name of your ldap identity provider in step 1)


  • 3.  RE: Pass-through auth via LDAP

    Posted 10-01-2019 02:15 PM
    Edited by Petar Banicevic 10-01-2019 02:49 PM
    Dear Mark

    I did what you have proposed but I am not sure it's solving my problem. Maybe we are talking about different scenario. To clarify:

    • My phone has settings in which I am supposed to enter LDAP server address, and phone talks with LDA"P" protocol. In my case that LDAP server will be the gateway itself that should check for LDAP injection, if no injection then pass thru the data to the internal LDAP server.

    In your last post you have proposed to making a simple LDAP connector which was easy... When you suggested doing a policy with basic auth and I got lost because policies are linked to HTTP listener (GET/POST/etc) while phone talks LDAP, it's not HTTP. That's why I asked if I should use RAW listener.

    Are we on the same page with this question ?


    PS - even worse is that phone is coming with LDAPS protocol, so gateway is the termination point, and before passing-thru to internal ldap, I need again to LDAPS.... but leave this part out for now.

  • 4.  RE: Pass-through auth via LDAP

    Broadcom Employee
    Posted 10-01-2019 07:44 PM
    In my opinion, it's not a good practice to let the client to query ldap directly.
    But if that's how it was designed, then the client should connect to the real ldap server.
    The gateway is not a ldap.

    If you want to hide the ldap server, then the client needs to be changed to use other authentication methods, such as oauth/http basic/client cert/etc. which supported by layer7 gateway.